Queen of San Diego — Tech Blog

Under the hood at queenofsandiego.com

```html

Building a Multi-Domain Executive Reporting System: AWS Lambda, SES, and Strategic Infrastructure Audits

Over the past development session, we built and deployed a comprehensive executive reporting framework across the QueenofSanDiego portfolio. This involved creating automated SES-based distribution pipelines, deploying critical infrastructure audits, and establishing the foundation for data-driven decision-making across four business entities and three ancillary assets. Here's how we did it and why the architecture matters.

The Problem Statement

The portfolio—spanning JADA (luxury yacht charters), QueenofSanDiego (brand/events), QuickDumpNow (waste logistics), and DangerousCentaur (entertainment)—was operating without unified visibility into financial health, technical debt, or operational performance. There was no systematic way to surface critical shortfalls to decision-makers. We needed a scalable, repeatable system to generate role-specific reports and distribute them securely.

Architecture: Report Generation and Distribution

File Structure:

  • /Users/cb/Documents/repos/tools/send_exec_reports.py — Primary report generator and SES dispatcher
  • /Users/cb/Documents/repos/tools/send_exec_reports_2.py — Variant for A/B testing and iterative improvements
  • /Users/cb/Documents/repos/sites/queenofsandiego.com/tools/shipcaptaincrew/lambda_function.py — AWS Lambda handler for ShipCaptainCrew (real-time checklist and event management system)
  • /Users/cb/Documents/repos/sites/queenofsandiego.com/tools/shipcaptaincrew/frontend/index.html — Single-page frontend for crew and captain workflows

Why Python for Report Generation? Python's ecosystem (boto3 for AWS, templating libraries) made it the natural choice for generating complex, multi-stakeholder reports. The reports themselves were data-driven narratives—pulling from project handoffs, environment configs, and historical session logs—then formatted as structured email bodies via AWS SES.

SES Configuration and Email Delivery

We leveraged AWS Simple Email Service (SES) for distribution. The key configuration involved:

  • Verified Sender: admin@queenofsandiego.com (verified via Route53 CNAME validation)
  • Recipient: Primary delivery to c.b.ladd@gmail.com with BCC to admin account for audit trail
  • Environment Variables: SES credentials stored in repos.env, never hardcoded
  • Authentication: IAM role attached to execution context (local dev or Lambda) with ses:SendEmail and ses:SendRawEmail permissions

The report dispatcher ran through the following logic:

1. Load SES credentials from repos.env
2. Generate 5 role-specific reports (CEO, CTO, CMO, CFO, Accounting Officer)
3. Format each as HTML email body with role-specific metrics and KPIs
4. Batch send via SES client (throttled to respect SES limits)
5. Log delivery status and any failures to CloudWatch

Why Not SNS or SQS? For this use case, direct SES delivery was more appropriate because: (1) we needed direct control over email formatting and headers, (2) the volume was low and predictable (5–8 emails per run), (3) we could retry failures synchronously without queuing complexity, and (4) it reduced cost overhead of additional services.

Report Content: What Each Stakeholder Needs

CEO Report: Inventory of all 4 operating entities, 8 critical shortfalls (empty sales pipeline, zero revenue tracking, crew equity exposure, zero OTA listings, undefined billing models), 9 missing KPIs, and a 30-day action plan prioritized by ROI impact.

CTO Report: Stack-by-stack security and performance audit across JADA, QOS, QDN, and DC. Flagged: hardcoded Stripe keys in repos, plaintext environment configs, unauthenticated Google Apps Script endpoints, absence of WAF protection. Cost analysis identified ~$25/mo in AWS savings. Included 10-point remediation roadmap and dev cycle gaps (no CI/CD, no staging, no automated rollback).

CMO Report: Channel-by-channel visibility matrix. Prioritized immediate blast email to 3,676 subscribers (modeled at $10K–$50K concert booking potential). OTA sequencing: Sailo first (lowest friction), GetMyBoat next, then Viator/Getyourguide post-proof-of-concept. Local SEO roadmap for QuickDumpNow.

CFO Report: Burn rate model (~$7–9K/mo), tiered capital deployment framework (zero-cost optimizations → low-cost wins → revenue-producing features → do-not-deploy categories). Break-even at 6 charters/month. Monthly revenue targets through Q4 2026. Three non-negotiable financial rules to enforce.

Accounting Report: Revenue recognition gaps, chart of accounts skeleton, expense audit by category, and a 4-milestone roadmap to profitability through Q1 2027.

ShipCaptainCrew Deployment: Infrastructure Backbone

Parallel to report generation, we made substantial improvements to ShipCaptainCrew, the real-time event and checklist platform:

  • Lambda Handler: lambda_function.py received 15+ iterative edits, culminating in: JWT-based authentication (HMAC-SHA256), event creation/retrieval endpoints, checklist state management, magic-link auth token generation, and role-based access control (admin, captain, crew, guest).
  • Frontend: index.html updated to render timing panels (departure/return calculations), checklist UI with claim functionality, and role-gated modal access.
  • Deployment: Lambda packaged via CloudFormation, frontend deployed to S3 and invalidated via CloudFront cache flush (distribution ID in AWS console).

Why JWT over session cookies? JWT tokens are stateless, work seamlessly in serverless contexts (no persistent session store), and can encode role/permission claims directly in the token. We used short TTLs (~15 min) for security, with refresh logic to maintain UX.

Key Infrastructure Decisions

  • Environment Isolation: Separated development repos in /Users/cb/Documents/repos/ from production-facing assets in S3/CloudFront. Local testing before every deploy.
  • Source of Truth: Project metadata stored in /Users/cb/Documents/repos/agent_handoffs/projects/shipcaptaincrew.md, keeping architecture decisions linked to implementation.
  • Syntax Validation: Pre-deployment Lambda syntax checks via python -m py_compile prevented runtime errors in production.
  • Atomic Deployments: Zipped Lambda code with dependencies, deployed as single artifact. Frontend deployed atomically to S3 with CloudFront invalidation to ensure all users see consistent versions.

What's Next

This infrastructure is now primed for:

  • Automated Report Scheduling: Wire the report generator into Event